APT38: Details on New North Korean Regime-Backed Threat Group

Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38.

We are releasing a special report, APT38: Un-usual Suspects, to expose the methods used by this active and serious threat, and to complement earlier efforts by others to expose these operations, using FireEye’s unique insight into the attacker lifecycle.

We believe APT38’s financial motivation, unique toolset, and tactics, techniques and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense. The following are some of the ways APT38 is different from other North Korean actors, and some of the ways they are similar:

We find there are clear distinctions between APT38 activity and the activity of other North Korean actors, including the actor we call TEMP.Hermit. Our investigation indicates they are disparate operations against different targets that rely on distinct TTPs; however, the malware tools being used either overlap or exhibit shared characteristics, indicating a shared developer or access to the same code repositories. As evident in the DOJ complaint, there are other shared resources, such as personnel who may be assisting multiple efforts.

A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment. This report detailed malware and TTPs related to a set of developers and operators they dubbed “Lazarus,” a name that has become synonymous with aggressive North Korean cyber operations.

Since then, public reporting has attributed additional activity to the “Lazarus” group with varying levels of confidence, primarily based on similarities in the malware leveraged in identified operations. Over time, these malware similarities diverged, as did targeting, intended outcomes and TTPs, almost certainly indicating that this activity is made up of multiple operational groups primarily linked together by shared malware development resources and North Korean state sponsorship.

Since at least 2014, APT38 has conducted operations in more than 16 organizations in at least 11 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources. The following are some details about APT38 targeting:

The total number of organizations targeted by APT38 may be even higher when considering the probable low incident reporting rate from affected organizations.

APT38 is characterized by long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations, capped with a willingness to completely destroy compromised machines afterwards.

The group is careful, calculated, and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions, and system technologies to achieve its goals.

On average, we have observed APT38 remain within a victim network for approximately 155 days, with the longest time within a compromised environment believed to be almost two years.

Investigating intrusions of many victimized organizations has provided us with a unique perspective into APT38’s entire attack lifecycle. Figure 1 contains a breakdown of observed malware families used by APT38 during the different stages of their operations. At a high level, their targeting of financial organizations and subsequent heists have followed the same general pattern:

Information Gathering: Conducted research into an organization’s personnel and targeted third party vendors with likely access to SWIFT systems to understand the mechanics of SWIFT transactions.

Initial Compromise: Relied on watering holes and exploited an insecure, out-of-date version of Apache Struts2 to execute code on a system.

Internal Reconnaissance: Deployed malware to gather credentials, mapped the victim’s network topology, and used tools already present in the victim environment to scan systems.

Pivot to SWIFT Servers: Installed reconnaissance malware and internal network monitoring tools on SWIFT systems to further understand how SWIFT is configured and being used. Deployed both active and passive backdoors on SWIFT systems to access segmented internal systems at a victim organization and avoid detection.

Transfer Funds: Deployed and executed malware to insert fraudulent SWIFT transactions and alter transaction history. Transferred funds via multiple transactions to accounts set up in other banks, usually located in separate countries, to enable money laundering.
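The final stage of the pattern above, inserting fraudulent transactions and altering the transaction history on the compromised messaging host, is the one a defender can make tamper-evident rather than merely logged. The following is an added example, not code from the report or from FireEye, showing one such control: an independent, append-only audit log that hash-chains each approved transaction as it is authorized on a separate system, and a reconciliation routine that compares the messaging host's own history against that log to surface inserted, deleted or altered records. The record layout, field names, sample transactions and the "tampered history" are all constructed for this example; no real SWIFT message format is used.

```python
"""
Added example: detecting alteration of a transaction history by
reconciling it against an independent hash-chained audit log.

Assumptions (constructed for this example, not from the report):
  - Approved transactions are flat dicts with a unique "ref" field.
  - A separate system appends each approved transaction to an audit
    log whose entries chain together with SHA-256, so editing or
    deleting an earlier entry breaks every later link.
  - The messaging host's own history can be exported as a list of the
    same record type and compared against the audit log by "ref".
"""
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first audit entry


def canonical(record):
    """Serialize a record so its digest does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def chain_hash(prev_hash, record):
    """Hash of this entry, bound to the previous entry's hash."""
    return hashlib.sha256((prev_hash + canonical(record)).encode()).hexdigest()


def append_to_audit_log(log, record):
    """Append a copy of an approved record to the chained audit log."""
    prev = log[-1]["hash"] if log else GENESIS
    entry_record = dict(record)  # copy so later edits to the source cannot reach the log
    log.append({"record": entry_record, "prev": prev,
                "hash": chain_hash(prev, entry_record)})
    return log


def build_audit_log(records):
    log = []
    for rec in records:
        append_to_audit_log(log, rec)
    return log


def verify_audit_log(log):
    """Return None if every link is intact, else the index of the first broken entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or chain_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def reconcile(history, log):
    """Compare the host's transaction history against the audit log.

    Returns a dict of refs: 'inserted' (in history only), 'deleted'
    (in audit log only) and 'altered' (present in both, content differs).
    """
    expected = {e["record"]["ref"]: e["record"] for e in log}
    observed = {r["ref"]: r for r in history}
    findings = {"inserted": [], "deleted": [], "altered": []}
    for ref, rec in observed.items():
        if ref not in expected:
            findings["inserted"].append(ref)
        elif canonical(rec) != canonical(expected[ref]):
            findings["altered"].append(ref)
    for ref in expected:
        if ref not in observed:
            findings["deleted"].append(ref)
    return findings


# Constructed sample data: three approved transactions ...
APPROVED = [
    {"ref": "TXN-0001", "beneficiary": "BANK-A", "amount": "1000.00", "ccy": "USD"},
    {"ref": "TXN-0002", "beneficiary": "BANK-B", "amount": "2500.00", "ccy": "USD"},
    {"ref": "TXN-0003", "beneficiary": "BANK-C", "amount": "750.00", "ccy": "EUR"},
]

# ... and the history as later read from the messaging host, with one
# amount changed, one record removed and one record that was never approved.
TAMPERED_HISTORY = [
    APPROVED[0],
    dict(APPROVED[1], amount="25000.00"),                                   # altered
    {"ref": "TXN-0004", "beneficiary": "UNKNOWN", "amount": "9900000.00", "ccy": "USD"},  # inserted
]                                                                            # TXN-0003 deleted


def demo():
    """Build the audit log from approved records, check it, then reconcile."""
    log = build_audit_log(APPROVED)
    if verify_audit_log(log) is not None:
        raise RuntimeError("audit log itself has been tampered with")
    return reconcile(TAMPERED_HISTORY, log)


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately separate: `verify_audit_log` answers whether the independent log can still be trusted (an attacker who edits the log without recomputing every later hash breaks the chain), and `reconcile` uses that trusted log to name exactly which records on the messaging host were inserted, deleted or altered. Running the reconciliation on a schedule from a host the messaging system cannot write to is what makes the alteration of transaction history visible rather than silent.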

APT38 is unique in that it is not afraid to aggressively destroy evidence or victim networks as part of its operations. This attitude toward destruction is probably a result of the group trying not only to cover its tracks, but also to provide cover for money laundering operations.

In addition to cyber operations, public reporting has detailed recruitment and cooperation of individuals in-country to support the tail end of APT38’s thefts, including persons responsible for laundering funds and interacting with recipient banks of stolen funds. This adds to the complexity and necessary coordination amongst multiple components supporting APT38 operations.

Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide. By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations. Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector.